Bug 1739355

Summary:	comm="abrt-action-ins" name="satellite-5-client.module"
Product:	Red Hat Enterprise Linux 8	Reporter:	Petr Sklenar <psklenar>
Component:	selinux-policy	Assignee:	Lukas Vrabec <lvrabec>
Status:	CLOSED DUPLICATE	QA Contact:	BaseOS QE Security Team <qe-baseos-security>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	8.0	CC:	lvrabec, mmalik, plautrba, ssekidde, zpytela
Target Milestone:	rc
Target Release:	8.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-08-09 10:28:34 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Petr Sklenar 2019-08-09 07:07:19 UTC

Description of problem:
I really have no idea about step to reproduce. I could this satellite module denial during cups tetsing?
I can see the bug rarely during the testing of rhel81:

https://beaker.engineering.redhat.com/tasks/executed?recipe_task_id=97369741&recipe_task_id=97362276&recipe_task_id=97352066&recipe_task_id=97351904&new_pkg_tasks=97369741,97362276,97352066,97351904


Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-13.el8.noarch

How reproducible:
2x during hundreds

Steps to Reproduce:
1. reshcedule https://beaker.engineering.redhat.com/tasks/executed?recipe_task_id=97369741&recipe_task_id=97362276&recipe_task_id=97352066&recipe_task_id=97351904&new_pkg_tasks=97369741,97362276,97352066,97351904
2.
3.

Actual results:
http://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2019/08/37117/3711720/7206167/97352066/447017256/avc.log
:


SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
selinux-policy-3.14.3-13.el8.noarch
----
time->Tue Aug  6 15:58:30 2019
type=PROCTITLE msg=audit(1565121510.955:1982): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D75002F7573722F62696E2F616272742D616374696F6E2D696E7374616C6C2D6465627567696E666F002D79
type=PATH msg=audit(1565121510.955:1982): item=0 name="/etc/dnf/modules.d/satellite-5-client.module" inode=135 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1565121510.955:1982): cwd="/var/spool/abrt/ccpp-2019-08-06-15:58:28.464652-19547"
type=SYSCALL msg=audit(1565121510.955:1982): arch=c0000015 syscall=286 success=no exit=-13 a0=ffffffffffffff9c a1=1001aca27c0 a2=0 a3=0 items=1 ppid=20502 pid=20527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-action-ins" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1565121510.955:1982): avc:  denied  { read } for  pid=20527 comm="abrt-action-ins" name="satellite-5-client.module" dev="dm-0" ino=135 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=0

Expected results:
no denial

Additional info:

Comment 1 Milos Malik 2019-08-09 10:19:31 UTC

I believe this bug is a duplicate of BZ#1734403.

Comment 2 Lukas Vrabec 2019-08-09 10:28:34 UTC


*** This bug has been marked as a duplicate of bug 1734403 ***